
Dynamicweb cookies

Mario Santos

Hi,

Is there any DW setting to set the Dynamicweb and Dynamicweb.SessionVisitor cookies to be HttpOnly? Also, is there a way to set DW cookies as Secure?

https://www.screencast.com/t/8Q20G6Lj3fx

Thank you, Mário


Replies

 
Nicolai Pedersen

Hi Mario

It is not possible to set those cookies to httponly. Also you cannot set them to secure (which would make the cookie only work over https).

BR Nicolai

 
Mario Santos

Hi Nicolai,

We have a customer that ran the website through a vulnerability analysis and it pointed out those 2 items (the website has https). Can this be a feature request? Probably taking the Secure attribute based on the HTTP protocol and forcing other DW cookies to HttpOnly?

BR, Mário

 
Nicolai Pedersen
This post has been marked as an answer

Hi Mario

Setting secure on https requests only kind of defeats its purpose. The purpose of the flag is to ONLY send the cookie if https is active. Meaning stuff will stop working (i.e. login) if the user is not on https.

We should add support for httponly by default - agree on that. Choosing cookies to be secure requires some sort of configuration to implement.

Added to backlog, TFS#31103 for 9.3

You can create a notification subscriber that will change the cookie flags if needed.

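One way to implement the notification subscriber Nicolai suggests, as an added example that is not code from the thread or from Dynamicweb itself. It assumes the Dynamicweb 9 extensibility API (`NotificationSubscriber`, the `Subscribe` attribute and the `Dynamicweb.Notifications.Standard.Page.Loaded` notification name), the classic ASP.NET `HttpContext`, and an app setting named `Cookies.ForceSecure` that does not exist in Dynamicweb; the cookie names are the two from the question. Secure is only forced when that setting is on, because, as the answer notes, a Secure cookie stops working (login included) for visitors who are still on plain HTTP.

```csharp
// Added example, not Dynamicweb's own code: a notification subscriber that
// re-flags the "Dynamicweb" and "Dynamicweb.SessionVisitor" cookies on the
// outgoing response. Assumptions (not from the thread): the Dynamicweb 9
// NotificationSubscriber/Subscribe API and the Page.Loaded notification name,
// System.Web's HttpContext, and a hypothetical "Cookies.ForceSecure" app setting.
using System;
using System.Configuration;
using System.Linq;
using System.Web;
using Dynamicweb.Extensibility.Notifications;

namespace Example.Cookies
{
    // Page.Loaded fires after the standard request pipeline has run, so the
    // cookies Dynamicweb (re)issues are already queued on the response.
    [Subscribe(Dynamicweb.Notifications.Standard.Page.Loaded)]
    public class CookieFlagSubscriber : NotificationSubscriber
    {
        // The two cookies the vulnerability scan flagged in the question.
        private static readonly string[] CookieNames =
        {
            "Dynamicweb",
            "Dynamicweb.SessionVisitor"
        };

        // Hypothetical app setting: only force Secure on an HTTPS-only site.
        // On a site that still serves HTTP, a Secure cookie is never sent
        // back over HTTP, so login and sessions break there (see the answer).
        private static readonly bool ForceSecure = string.Equals(
            ConfigurationManager.AppSettings["Cookies.ForceSecure"],
            "true", StringComparison.OrdinalIgnoreCase);

        public override void OnNotify(string notification, NotificationArgs args)
        {
            var context = HttpContext.Current;
            if (context == null)
            {
                return; // not inside a web request (e.g. scheduled task)
            }

            var cookies = context.Response.Cookies;
            foreach (var name in CookieNames)
            {
                // The indexer creates a missing cookie, which would emit an
                // empty Set-Cookie header; only touch cookies already queued.
                if (!cookies.AllKeys.Contains(name))
                {
                    continue;
                }

                var cookie = cookies[name];
                cookie.HttpOnly = true;      // hidden from document.cookie / XSS
                if (ForceSecure)
                {
                    cookie.Secure = true;    // browser sends it over HTTPS only
                }
            }
        }
    }
}
```

The flags only take effect on a response that actually carries a Set-Cookie for these names; a cookie the browser already holds keeps its old attributes until the site re-sets it. Verify the result in the browser's developer tools or with a HEAD/GET against the login page and check that the Set-Cookie lines now carry `HttpOnly` (and `Secure` where enabled).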
 
Mario Santos

Thank you Nicolai!

 
Jacob Bertelsen

Hi Nicolai,

I assume this issue is still slated for 9.3.
Will it be in the 9.3 release, or a specific subversion of 9.3? :)

 
Nicolai Pedersen

It is scheduled for 9.3.0.

 
